Skip to content

Security Information#

Updated the following middleware component versions to enhance security and performance in MSR:

  • [MSRH-732] Golang v1.25.11
  • [MSRH-833] Immutable.js v3.8.3

Resolved CVEs#

CVE Image mitigated Problem details
CVE-2026-9150 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/registry-photon
A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by providing malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) in the affected system.
CVE-2026-9149 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/registry-photon
A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted .solv file containing negative size values in the repo_add_solv function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS).
CVE-2026-9076 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/registry-photon
harbor/trivy-adapter-photon
When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key().
CVE-2026-8643 harbor/prepare pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.
CVE-2026-7598 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/registry-photon
harbor/trivy-adapter-photon
A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.
CVE-2026-7383 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/registry-photon
harbor/trivy-adapter-photon
A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow.
CVE-2026-7168 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/redis-photon
harbor/registry-photon
harbor/trivy-adapter-photon
Successfully using libcurl to do a transfer over a specific HTTP proxy (proxyA) with Digest authentication and then changing the proxy host to a second one (proxyB) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to proxyB.
CVE-2026-7009 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/redis-photon
harbor/registry-photon
harbor/trivy-adapter-photon
When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly consider the response as fine.
CVE-2026-6732 harbor/harbor-db A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable.
CVE-2026-6357 harbor/prepare pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.
CVE-2026-6100 harbor/prepare Use-after-free (UAF) was possible in the lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile when a memory allocation fails with a MemoryError and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition. The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a MemoryError is raised during decompression. Using the helper functions to one-shot decompress data such as lzma.decompress(), bz2.decompress(), gzip.decompress(), and zlib.decompress() are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.
CVE-2026-6019 harbor/prepare http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
CVE-2026-5928 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/registry-photon
harbor/trivy-adapter-photon
Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.
CVE-2026-5450 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/registry-photon
harbor/trivy-adapter-photon
Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.
CVE-2026-46598 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.
CVE-2026-46597 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.
CVE-2026-46595 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.
CVE-2026-45447 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/registry-photon
harbor/trivy-adapter-photon
A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification.
CVE-2026-45446 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/registry-photon
harbor/trivy-adapter-photon
The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages.
CVE-2026-45445 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/registry-photon
harbor/trivy-adapter-photon
When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded.
CVE-2026-45186 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/registry-photon
harbor/trivy-adapter-photon
In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.
CVE-2026-42770 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/registry-photon
harbor/trivy-adapter-photon
When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership.
CVE-2026-42769 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/registry-photon
harbor/trivy-adapter-photon
An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Authority (RA) level to the root Certification Authority (root CA) level.
CVE-2026-42768 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/registry-photon
harbor/trivy-adapter-photon
The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/or decryption output.
CVE-2026-42767 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/registry-photon
harbor/trivy-adapter-photon
An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application.
CVE-2026-42766 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/registry-photon
harbor/trivy-adapter-photon
A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption.
CVE-2026-42765 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/registry-photon
harbor/trivy-adapter-photon
When a partial-chain certificate verification is enabled together with OCSP response checking for the whole chain, a NULL dereference will happen if the verified chain does not have a self-signed trusted anchor, crashing the process.
CVE-2026-42764 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/registry-photon
harbor/trivy-adapter-photon
Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled.
CVE-2026-42508 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.
CVE-2026-42507 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
harbor/registry-photon
When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.
CVE-2026-42506 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
CVE-2026-42504 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
harbor/registry-photon
Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.
CVE-2026-42502 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
CVE-2026-42499 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
harbor/registry-photon
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
CVE-2026-42011 harbor/harbor-db
harbor/harbor-log
A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.
CVE-2026-42010 harbor/harbor-db
harbor/harbor-log
A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.
CVE-2026-41889 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2.
CVE-2026-39836 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
harbor/registry-photon
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
CVE-2026-39835 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.
CVE-2026-39834 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.
CVE-2026-39833 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.
CVE-2026-39832 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.
CVE-2026-39831 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.
CVE-2026-39830 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.
CVE-2026-39829 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.
CVE-2026-39828 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.
CVE-2026-39827 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.
CVE-2026-39826 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
harbor/registry-photon
If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.
CVE-2026-39825 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
harbor/registry-photon
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.
CVE-2026-39824 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.
CVE-2026-39823 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
harbor/registry-photon
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS.
CVE-2026-39821 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
CVE-2026-39820 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
harbor/registry-photon
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
CVE-2026-3833 harbor/harbor-db
harbor/harbor-log
A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of nameConstraints labels, specifically for dNSName (DNS) or rfc822Name (email) constraints within excludedSubtrees or permittedSubtrees. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.
CVE-2026-34743 harbor/harbor-core
harbor/harbor-portal
harbor/nginx-photon
XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.
CVE-2026-34183 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/registry-photon
harbor/trivy-adapter-photon
Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames.
CVE-2026-34182 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/registry-photon
harbor/trivy-adapter-photon
Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises.
CVE-2026-34181 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/registry-photon
harbor/trivy-adapter-photon
The PKCS#12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism allowing a certificate and private key forgery.
CVE-2026-34180 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/registry-photon
harbor/trivy-adapter-photon
Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms.
CVE-2026-33846 harbor/harbor-db
harbor/harbor-log
A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.
CVE-2026-33845 harbor/harbor-db
harbor/harbor-log
A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.
CVE-2026-33814 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
harbor/registry-photon
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
CVE-2026-33811 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
harbor/registry-photon
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
CVE-2026-32952 harbor/harbor-core go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using ntlmssp.Negotiator as an HTTP transport. Version 0.1.1 patches the issue.
CVE-2026-32286 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.
CVE-2026-3219 harbor/prepare pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.
CVE-2026-3087 harbor/prepare If shutil.unpack_archive() is given a ZIP archive with an absolute Windows path containing a drive (C:\\...) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.
CVE-2026-27171 harbor/harbor-core
harbor/harbor-db
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/prepare
harbor/registry-photon
harbor/trivy-adapter-photon
zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.
CVE-2026-27145 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-registryctl
harbor/registry-photon
(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.
CVE-2026-27136 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
CVE-2026-25681 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
CVE-2026-25680 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
CVE-2026-2297 harbor/prepare The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.
CVE-2026-11824 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/registry-photon
harbor/trivy-adapter-photon
SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.
CVE-2026-11822 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/registry-photon
harbor/trivy-adapter-photon
SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database.
CVE-2026-0992 harbor/harbor-db A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.
CVE-2026-0990 harbor/harbor-db A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.
CVE-2026-0989 harbor/harbor-db A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.
CVE-2025-9714 harbor/harbor-db Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. XPath processing functions xmlXPathRunEval, xmlXPathCtxtCompile, and xmlXPathEvalExpr were resetting recursion depth to zero before making potentially recursive calls. When such functions were called recursively this could allow for uncontrolled recursion and lead to a stack overflow. These functions now preserve recursion depth across recursive calls, allowing recursion depth to be controlled.
CVE-2025-8732 harbor/harbor-db A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all."
CVE-2025-69720 harbor/harbor-core
harbor/harbor-exporter
harbor/harbor-jobservice
harbor/harbor-log
harbor/harbor-portal
harbor/harbor-registryctl
harbor/nginx-photon
harbor/registry-photon
harbor/trivy-adapter-photon
The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.
CVE-2025-13462 harbor/prepare The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.
CVE-2022-49043 harbor/harbor-db xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.
CVE-2022-29824 harbor/harbor-db In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf) and tree.c (xmlBuffer) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
CVE-2022-23308 harbor/harbor-db valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.
CVE-2021-3541 harbor/harbor-db A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.
CVE-2021-3537 harbor/harbor-db A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.
CVE-2021-3518 harbor/harbor-db There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
CVE-2021-3517 harbor/harbor-db There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.
CVE-2021-3516 harbor/harbor-db There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability.
CVE-2020-7595 harbor/harbor-db xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
CVE-2020-24977 harbor/harbor-db GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e.
CVE-2019-20388 harbor/harbor-db xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.
CVE-2019-19956 harbor/harbor-db xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.
CVE-2016-3709 harbor/harbor-db Possible cross-site scripting vulnerability in libxml after commit 960f0e2.
CVE-2024-55565 "nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.